---
type: "term"
title: "OWASP (Open Worldwide Application Security Project)"
description: "A nonprofit foundation providing freely available resources for web application security, including the OWASP Top 10 list of critical web application security risks."
resource: "tlctc:term:owasp-open-worldwide-application-security-project"
tags:
  - "glossary"
---
# OWASP (Open Worldwide Application Security Project)

A nonprofit foundation providing freely available resources for web application security, including the OWASP Top 10 list of critical web application security risks. In TLCTC, OWASP risks and testing methodologies are considered operational-level detail. The OWASP Top 10 categories map to TLCTC clusters: for example, "Injection" maps to `#2`/`#3`, "Broken Authentication" maps to `#4`, and "Security Misconfiguration" maps to `#1`. TLCTC notes that OWASP (like STRIDE) is "per se incomplete" and recommends always starting threat assessment with the 10 TLCTC clusters.

**Reference:** V1.9.1 §Operational Layer

See also: STRIDE, Sub-Threat, Operational Layer

---
